
spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations.
Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."

Nah. Merkey (from Merkey Research?, or was that his brother Paul?) is interested in copyright. Since I just gained read access to their repository of source code and was able to download it, I can only let him read the code ;-) After all the SCC group is not selling the copyrights to Cisco's code either :-)

It is closed because they wrote the code and they have the right to release it as they please. They have to respect your decision to open your source code and you have to respect theirs to keep theirs closed. It is a product that they sell. If they open the source, they lose much of the capability to sell it. It's really not that hard to understand.

One can only marvel at the irony - someone stealing the source code for "a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks"!!!

It might be better to say that it only takes one socially talented individual talking to one idiot inside your organization. A real idiot will make some stupid mistake during the conversation that will make it abundantly clear, even to the slowest-witted, that they are not in fact your CEO.

I know slashdotters, make some shit up. Source code is worth nothing until it comes out of some good story.

A female Russian spy escaped Cisco with the source code after sneaking by an army of Cisco security armed with AK-47s. She walked all the way to eBay headquarters barefoot and delivered 40 floppies in a pizza box. Her only weapon was a 10BaseT ethernet cable.

No, they couldn't. The analogy between IP and R(eal)Property is just that, an analogy. Yes, many similar laws exist for both, but the laws for one do NOT apply to the other. There is no law against HAVING illegally copied software. Unless you use the "running it is COPYing it into memory!" idiot's argument then RUNNING illegally copied software isn't illegal either. Just copying it is. I'll be posting higher in the tree another very interesting point.

Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.

Actually, we ARE able to follow a lot of this money, the big transactions at least. More often than not, the money trail goes through very powerful banking interests who have an incentive to keep such trails hidden, and the enforcement falls to agents of governments who have an incentive not to break up these "hidden" economic networks. Read Modern Jihad for an excellent overview of the trail of money funding terrorism for example. The author makes the point that the economic network funding terrorism is also funding many above ground and legit enterprises, and that governments have resisted attacking economic networks that they too depend on for many things (including, ironically, many counterterrorism efforts). I would not be surprised to learn that the same point can be made about other forms of organized crime.

Yes it certainly will have to go somewhere. When dealing in multiple $24K transactions that place is an unnamed, numbered account. Somewhere. I would put it in the Caymans or some such. In fact I would probably pass it around through a few such accounts in places with non-extradition to 'clean' it up a bit. If you have enough of it, money laundering is shockingly simple in principle.


I always thought it was income tax evasion but I could be wrong. Some states actually tax illegal drugs specifically (although it was ruled unconstitutional somewhere because it was in breach of double jeopardy laws). I'm pretty sure California's laws in this respect were mentioned on slashdot some time ago, but I can't find the specific article.

Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.

The original name behind the group was one Larry Hobbles who now seems to have disappeared. The Source Code Club is now said to be hawking a list of other stolen code to anyone who buys one full copy of the source code for sale.

hell, some time ago ppl used to "free" source code like this just for fun. only greedy kids [google.co.uk] nowadays it seems ;)
and not smart... or very smart and this is a scam... If I were selling it, first thing would be to contact key agencies/companies anonymously, not this freak high-profile thing. sounds bad. and there are no md5 or something of a few files to prove it is the real thing.
Seen IOS and other srcs years ago... This is what they get for playing the closed source game: FEAR. :)

You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.

So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.

The value of this intellectual property is not defined by the cut-and-pasteability of source code into a company's product. Certainly, this is not the likely application for any would-be buyers. Instead, knowing how the #1 router company in the world implements stateful packet-filtering on an embedded device is a very worthy piece of knowledge that can be used as a basis for the design of anything that touches a packet.

In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.

Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.

If you follow (or try) the people that can read tcpdump (or similar) logging like plain English and then in turn generate the packets to interact (exploit) what they see. I doubt having pix source code would matter much.

Also the 'IDS' features of the pix are static and pretty mundane and not tied to the IDS product so I am sure most people know how to get around them.

With the advent of the US Patriot Act and the DMCA, they would prolly get away with whatever they want, since even simple downloaders of music are 'International Terrorists' under the standing laws... lol

Under normal conditions, I'd agree. These days, I'm not so sure. After 9/11, there were many hundreds of people who "vanished" in the US, reportedly under arrest, but it wasn't for several months that anyone could even get that confirmed and not always even then. I have honestly seen nothing to suggest that all those people have even been released or charged even today.

On that basis, a "sting" that ended up with an undisclosed arrest - or a pair of concrete boots - would not be unimaginable. Under either

Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possibility to have exclusive knowledge to flaws in the code.

Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possibility that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.

Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.

Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code is even the real thing. If it isn't as advertised, what are you going to do? Take an anonymous Russian hacking group that you knowingly bought stolen IP from to court? It's like the guy who calls the police and files a report about his pot stash being stolen.

I know it's probably not, I'd be impressed if law enforcement was smart enough to try this, and it would likely be viewed as entrapment if they did, but...

puts on tinfoil hat

Suppose for just a minute that you wanted to contact, trace, and/or otherwise smoke out large numbers of people interested in buying source code to security applications. Might one approach be to (a) publicize a code theft, (b) pose as a 'known' hacker organization selling the code, (c) fully investigate everyone who contacts you?

Take the number of vehicles in the field, (A), and multiply it by the probable rate of failure, (B), then multiply the result by the average out-of-court settlement, (C). A times B times C equals X [SNIP] If X is less than the cost of a recall, we don't do one.

Geez, 6.3.1 is so old, I've already had to upgrade my Pix twice due to software errors that would cause the box to reset itself under moderate load. Current version is 6.3.4, and there have been a load of fixes. Maybe someone will want to buy it so they can write their own fixes & see if they work better than Cisco's updated version.

I've thought (stereotypically) that old Eastern bloc countries are backward and generally lawless (everything is for sale.) So ASS-U-ME'ing the thieves are from one of "those" countries, what's to prevent one of these companies that had their code "stolen" to put out a contract on those thieves? Once the word gets out, I think it would be a much more effective deterrent than say... a couple years in jail.

Um....ok, pretend I want to buy it, but I'm really a fed. How will they know when they try to collect? This seems like it would be mind-bogglingly easy to catch them red handed, so if there's an angle I'm missing on this someone please fill me in.

Not that I particularly trust Cisco, but I wouldn't trust these guys - or any such shadowy group - without going through a MAJOR code audit first. Not sure I'd even pay 24,000 without some guarantee of getting the code.

The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50-megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
We also include detailed instructions on how to decrypt and put together the pieces, it is a simple process that can be done with any unix computer.

The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam [rica.net] in a way.

I hate to be the only one to bring this up, but who says they are breaking copyright law? Assume they only have one copy, and they are selling THAT one copy. If a Cisco employee legally produced a copy of the source code then there is no *COPYRIGHT* law against that copy changing hands as many times as the possessor desires, for profit or otherwise. Yes, someone somewhere probably broke a contract, which carries separate legal ramifications, but in this scenario absolutely no copyright laws have been bro

Really, I really don't understand why this is a big deal. Anyone worth their salt in trying to take the code and develop the 'sploits doesn't need the source to get 'em. Many groups out there have already reverse-engineered the OS without the source and have plenty of 0-day exploits for the PIX, as well as Checkpoint and many other vendors. These groups are commercial R&D groups as well as hackers.

Between all the 0-days for Checkpoint and PIX, I honestly don't understand why anyone in their right mi

The only real reason to want the code is to find exploitable holes in the software. If you're paying 24k so you can do that you presumably want to use those exploits for a purpose. Releasing the source code and risking exploits becoming public (and then patched) devalues your investment.

Sure. Yes. Pay 24k. Uh-hu. OK. Let me get my PayPal account set up. Ah, I have a buyer...
"Leave the money in a brown paper bag STOP Wear a false mustache and a pink carnation STOP Make sure the bills are unmarked STOP Either that, or five copies of that wonderful Microsoft Windows XP will do STOP thank you Mr Ballmer STOP"

Traced to where? To a country with laws favorable to them? Or maybe they rented a room using only cash and use that room as a mailbox. Hire a bum or trick a kid into picking the mail in case the house is surveilled.

The 'blatant' vs 'flagrant' distinction isn't between seen and heard, even though blatant's roots are from 'to blab'. The difference is that blatant describes something that's done in an excessively noticeable manner, where flagrant describes something that's done so excessively it's noticeable. Note the difference.

The OED notes that in recent usage, blatant is used to mean: obtrusive to the eye (rather than to the ear as in orig. senses); glaringly or defiantly conspicuous; palpably prominent or obvious. However, nothing in the Dictionary supports your specific characterization of flagrant "so excessive(ly) it's noticeable."

(As a side note, blatant is a word that Spenser made up to describe a thousand-tongued monster, while flagrant literally means flaming.)

From The American Heritage® Dictionary of the English Language, Fourth Edition: (emphasis mine)

It is not surprising that blatant and flagrant are often confused, since the words have overlapping meanings. Both attribute conspicuousness and offensiveness to certain acts. Blatant emphasizes the failure to conceal the act. Flagrant, on the other hand, emphasizes the serious wrongdoi

There's a big difference between the people who write closed source code and the people who steal other people's work. This really says nothing about the quality of open vs. closed source code, or the people who write either one. It simply restates the fact that there are people out there who will do anything they want for money.

I don't think they can. I mean, they might get away with it at the beginning...but time always catches up with them. It may take years, but in the end, they almost always get caught. There are plenty of slow, methodical crime investigators out there that will track them down. Plus, since Cisco is at the heart of this particular scam, don't you think they have a few people working for them that kinda-sorta know how to track things through the Net?

Of course, there's also the chance they could totally get away with it too...but not likely. Criminals always think they're smarter than the people after them, but they only have to make one mistake to kiss it all goodbye. Or just wait until the statute of limitations is up.

Just for yuks, you might want to consider M0n0wall [m0n0.ch]. I'm evaluating it for a client right now, and it's very impressive (BSD-based with a good PHP interface.) I'm running it on a PCEngines WRAP 1C-2 [pcengines.ch] board (cheaper & faster than Soekris) and it works a charm (I ditched my cantankerous PC firewall for this a while ago.)